[Swan] XFRMi Interface route based IPSec with right=%any

Rav Ya ravin.ya90 at gmail.com
Tue Apr 28 23:32:00 UTC 2020


Hi Paul,

Thank you for your time.

Setting all the connections to "overlapip=yes" did not help. I am still
seeing the same “route already in use” error.
Any other suggestions, or a workaround that might work?

Apr 28 19:13:40.288938: | route owner of "gateway02"[1] 10.11.0.2 unrouted: "gateway01"[1] 10.11.0.1 erouted; eroute owner: "gateway01"[1] 10.11.0.1 erouted
Apr 28 19:13:40.288946: "gateway02"[1] 10.11.0.2 #7: cannot route -- route already in use for "gateway01"[1] 10.11.0.1

If I understand correctly, the next release (v3.32) will not have the legacy
KLIPS and shall support overlapping IPs. Is there a rollout date for the
next release?
Also, if I build the master branch, I should not see this issue. Right?

-Rav Ya

On Tue, Apr 28, 2020 at 6:34 PM Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 28 Apr 2020, Rav Ya wrote:
>
> > Question: With this configuration, my first tunnel comes up
> > successfully but my second tunnel fails with “route already in use”
> > error?
>
> That is a bug. Can you try adding overlapip=yes to all connections ?
>
> > Given that I have two different XFRMi interfaces, shouldn’t we allow
> > route (0.0.0.0/0 -> 0.0.0.0/0 subnets) for individual XFRMi to run
> > iBGP? What am I missing? Any recommendations please?
>
> It is because the legacy KLIPS stack did not support overlapping IPsec
> connections. We are about to rip out KLIPS, but got delayed by a few
> releases, so it is still in the last release (although it has been
> ripped out in git master).
>
> Paul
>